Why your board needs to get much more involved with security

C-level executives across the board are tasked with managing company security risks. Unfortunately, while a security breach gets immediate attention from the board, the infrastructure and systems needed to recover from an attack and to prevent the next one have never been boardroom fare.

Chief Information Security Officers (CISOs) need to engage with their boards to ensure their organizations understand and manage “information risk” appropriately while delivering their strategic objectives. One of the key things that I consistently hear in my dealings with CISOs and boards around the world is that the corporate risk landscape is maturing and evolving at a speed that many organizations are fighting to keep up with.

Highly publicized breaches and more stringent regulation have put the spotlight on information security in most global organizations. As information security moves up senior management and the board’s agenda, pressure will continue to mount.

CISOs must be able to shape the message and relay their successes to the board to sustain high-level support for information security initiatives. It is imperative moving forward that CISOs understand and deliver on heightened stakeholder expectations relating to information security governance and information risk management.

The executive perspective

When I look at the whole cyber landscape from a senior-executive perspective, I see one that is full of possibilities, provided organizations clearly understand where the risks are and have made sensible decisions about how they are going to run their business. It requires organizations to think differently about aspects of their business, the people they do business with, and the people they share their data with.

To manage this risk-reward balance, security chiefs must drive engagement across their organizations. This starts with changing the conversation to resonate with top decision-makers and align with business objectives — explaining how information security can assist the organization to meet its business objectives while effectively managing risk. Those who can embrace this dynamism will achieve better results, for themselves and their organizations.

Engagement is a way of life that security chiefs must adopt. The successful ones are doing so, while some are struggling for a number of reasons, including, but not limited to:

No established relationship between the board and Internet security departments

The board still struggles to understand the relevance and importance of security

The existing information security department struggles to communicate the message through the various channels to the boardroom

Being effective requires the right people, operating at the right level, who are able to communicate the requirements of cyber security in the language of the business and drive cyber resilience throughout the enterprise as a cultural change. We all operate in cyber space, and now boards and their cyber security directors need to step up to the challenge.

Getting it right

In recent years, global businesses have seen the pressure from continuous regulatory compliance increase. For years, external threats such as worms and viruses were information security’s main driver; however, all that changed when compliance first became a board-level issue. But compliance is not good security; good security results in compliance.

The modern CISO builds a platform that will make implementing any future mandated regulatory changes easier, resulting in a positive review from regulators. They also promote investment to build compliance programs, thus managing the business safely and soundly well before the regulator needs to intervene. For instance, CISOs in the US working in financial services, one of the most regulated industries, are talking about collaborating to address security risks. Now that President Obama has put the issue on his agenda, organizations are trying to improve how they manage information risk before the regulator mandates it. Indeed, with the threat landscape rapidly changing, regulatory pressure on CISOs is unlikely to ease any time soon.

For an organization such as a large insurance company, there is clearly a business link between these areas and the potential negative impact of a breach or loss of data. While not reporting to the board, the CISO here has a direct line to the risk committee and is increasingly asked to prepare board inputs around issues of privacy, brand impact, and the protection of intellectual property and personally identifiable information (PII). It’s critical that the CISO have the ability to look into the business strategy in order to understand information security risk and then translate that by acting as the liaison to the compliance, legal, public relations and security teams. Viewing the organization’s security status from a business perspective ensures the attention of the board.

Don’t get left behind

From cyber to insider, organizations have varying degrees of control over evolving security threats. With the speed and complexity of the threat landscape changing on an almost daily basis, all too often we are seeing businesses being left behind, sometimes in the wake of reputational and financial damage.

Organizations on a global scale need to take stock now to ensure they are fully prepared to deal with these ever-emerging challenges. There is a real opportunity for security departments and business departments to combine within organizations to get their arms around how they’re going to deal with this issue of reputational risk because it’s very real. We’ve seen some great examples of this already this year and expect this to continue as we move into 2014.

Steve Durbin is global vice president of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.